Why surveillance companies hate the iPhone

By Craig Timberg

August 12, 2014 — 2.19pm

The secrets of one of the world's most prominent surveillance companies, Gamma Group, spilled onto the internet last week, courtesy of an anonymous leaker who appears to have gained access to sensitive corporate documents.

While they provide illuminating details about the capabilities of Gamma's many spy tools, perhaps the most surprising revelation is about something the company is unable to do: it can't hack into your typical iPhone.

Companies that make surveillance tools are said to hate the iPhone's security features. Credit: Reuters

Android phones, some Blackberries and phones running older Microsoft operating systems all are vulnerable to Gamma's spyware, called FinSpy, which can turn a smartphone into a potent surveillance device. Users of the spyware are capable of listening to calls on targeted devices, stealing contacts, activating the microphone, tracking the owner's location and more.

But for FinSpy to hack into an iPhone, the phone's owner must have already stripped away much of its built-in security through a process called "jailbreaking". No jailbreak, no FinSpy on your iPhone, at least according to a leaked Gamma document dated April 2014.

This is good news for people with iPhones, and perhaps for Apple as well. But at a time of rising concern about government surveillance powers, it's ironic that a different mobile operating system - Google's Android - has emerged as the global standard, with a dominant share of the world market. Android phones have more features. They come in more shapes, sizes and colours. And they're cheaper. But, it's increasingly clear, they are more vulnerable to the Gammas of the world, which develop and sell surveillance systems to police and government intelligence services.

The result is what might be called a growing "surveillance gap". Some civil libertarians have begun pointing out that the people on the safer side of that gap - with stronger protections against the potential for government abuse - are the relatively affluent people who already favour Apple products. Those willing to pay a premium for an iPhone or iPad, perhaps for their design elegance or ease of use, are also getting disk encryption by default, an instant messaging system that resists eavesdropping and an operating system that even powerful surveillance companies have trouble cracking.

Such features don't tend to star in Apple's glossy marketing campaigns because most shoppers likely think little about security when choosing their consumer electronics. Yet the consequences can be serious if a government anywhere in the world decides to target someone with FinSpy, or if a police officer or border patrol agent attempts to browse through a person's smartphone - or worse still, copy its entire contents for later examination.

"Technology can protect you from your own government. It can protect you from somebody else's government. If you live in an authoritarian country, the disk encryption feature built into the [operating system] may be the thing keeping you safe," Christopher Soghoian, the principal technologist for the ACLU, said in a speech last month. "It may be the thing keeping you from being beaten by the secret police. So it's vital that these features reach average users."

The Gamma Group, with headquarters in Germany and Britain, did not respond to an email requesting comment and has kept quiet generally in the week since a Twitter account - with the obviously bogus name "Phineas Fisher@GammaGroupPR" - first appeared online. (Many of the documents also are posted on Netzpolitik.org, a German site that promotes digital civil rights.)

The files include price lists for various surveillance products - FinSpy can cost governments nearly $US4 million - as well as detailed descriptions of other spy tools and a 126-page user manual for FinSpy. Researchers and journalists combing through some of the leaked documents also have found evidence that FinSpy had been used against lawyers and activists in Bahrain. ProPublica reported it has been deployed on computers in the United States, Britain, Russia and many other countries.

Yet the user manual and other documents make clear that even powerful, expensive spyware such as FinSpy has its limits.

That's why the choice of smartphones matters. Android phones are, by design, open source systems that give programmers a wide range of powers in making apps work how they want them to. Apple, by contrast, controls the development of the hardware and operating system, and it manages what's available in the App Store more aggressively than Google does for its Play store.

"Android is infinitely more exploitable than" Apple's operating system, said Bart Stidham, a longtime telecommunications system architect based in Virginia.

"Apple is the most vertically integrated technology company in the world. That means they have the ability to control every aspect of their devices, including the security... There are just huge swaths of Android that are outside the control of Google."

That mantle used to belong to BlackBerry, which is still considered the gold standard in mobile security.

There also are countless different Android phones circulating in the world - different models by different manufacturers, made to work on different networks in different countries. And few of them are updated regularly with the latest version of the Android operating system, increasing the risk from all forms of attack - from both criminal and government hackers.

"It's a much more open ecosystem, which unfortunately makes it more vulnerable," said Bill Marczak, a research fellow for Citizen Lab at the University of Toronto's Munk School of Global Affairs who has tracked the use of government spyware. "If you don't know what you're doing, an iPhone is harder to screw up on."

There are nuances to all this. Savvy users can activate disk encryption on Android phones by changing the settings. And all Android phones are much safer when users get their apps only from Google's Play store rather than third-party stores, which are more likely to contain malicious software.

It's also worth noting that just because Gamma Group has trouble getting FinSpy onto iPhones doesn't mean they are impregnable.

Other surveillance companies may have better intrusion technology. Or an intelligence service could hack into the computer that syncs up with an iPhone. Or maybe Gamma has found a way in since that document was published in April. And plenty of Apple lovers, especially in other countries, jailbreak the iPhones in search of enhanced capabilities - and in the process open the door to FinSpy.

Yet for all that, the surveillance gap is there. Unless Apple somehow rallies in the face of Android's global rise - or Google makes fundamental changes to the operating system's security - the gap will only grow.